Re: So apple WERE hacked then

but in true Apple spin, they use lots of long words to disguise that, enough to fool the target Apple audience into believing all cloud services are at risk, and only Apple got hacked, because that's what everyone that matters uses.

Re: Ah but they didn't use Password

The cloud is safe because of the measures in place. Users have to follow the instructions given to take advantage of the safety measures. Users also have to know that if a so-called friend were to use your mobile device, your photos can be easily copied out. Then your friend can post it by declaring they hacked into iCloud instead of admitting to stealing data from a friend. As an IT person since the early eighties, I don't put important stuff in remote servers. Think about it: those servers are set up by someone, and obviously those people can have unfettered access to anything in the servers. You trust them? Snowden?

Re: Ah but they didn't use Password

An important point not mentioned in the article: The main reason for enabling 2 step authentication is that it disables the security questions, so your account can no longer be compromised that way. Once it is enabled you can only reset your account credentials using a recovery code generated when you turn on 2 step auth. You need to keep this safe, because if you forget your password and don't have the recovery code all your iTunes purchases are gone, forever.

That's why they go to the trouble of giving you a thumping great recovery key. If a user is too stupid to remember his password, and he's too dumb to print out his recovery key and put it in a safe place, he deserves a lot more than losing his iTunes purchases.
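The two posts above describe the shape of the scheme: a random recovery key handed out once at enrolment, which then becomes the only way back into the account. The following is an added illustration of that shape, not Apple's code; the key format, hash parameters and store layout are assumptions made for the example. The server keeps only a salted hash, so a leaked table does not yield usable keys, and a key is consumed on first successful use.

```python
"""Recovery-key enrolment and redemption (added example; the format and
storage choices are assumptions, not any vendor's implementation)."""
import base64
import hashlib
import hmac
import secrets

KEY_BYTES = 16               # 128 bits: unguessable, unlike a pet's name
PBKDF2_ITERATIONS = 100_000  # slows offline cracking if the table leaks


def generate_recovery_key() -> str:
    """Return a key the user can print, e.g. 'K7QX-2M9A-...' (26 base32 chars)."""
    raw = secrets.token_bytes(KEY_BYTES)
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def normalize(key: str) -> str:
    """Accept lower case, spaces and hyphens when the user types the key back."""
    return "".join(ch for ch in key.upper() if ch.isalnum())


def _digest(key: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(key).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


class RecoveryStore:
    """Server side: keeps a salted hash per account, never the key itself."""

    def __init__(self) -> None:
        # account -> (salt, digest); None once the key has been consumed
        self._records = {}

    def enrol(self, account: str) -> str:
        """Generate and register a key; return it for one-time display."""
        key = generate_recovery_key()
        salt = secrets.token_bytes(16)
        self._records[account] = (salt, _digest(key, salt))
        return key   # display once; the caller must not log or e-mail it

    def redeem(self, account: str, presented: str) -> bool:
        """Check a presented key; a correct key is consumed on success."""
        record = self._records.get(account)
        if record is None:
            return False          # nothing enrolled, or already used
        salt, digest = record
        if not hmac.compare_digest(_digest(presented, salt), digest):
            return False
        self._records[account] = None   # one-time use: re-enrol after the reset
        return True
```

Because the server holds only the hash, nobody on the support side can read the key back to a caller who has lost it, which is exactly the property (and the support nightmare) the thread is arguing about. A real deployment would also rate-limit `redeem` per account.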

Two factor auth is a good thing - Apple's is not

Apple's implementation of two factor auth is shockingly shit. And I say that as a fully-fledged fanboi, currently using 6 apple products and having recently been through the nightmare of AppleID.

While traveling earlier in the year someone tried to access my account from overseas (Apple would never tell me where, but Russia, China or Nigeria seem likely) and Apple therefore disabled my password. No problem, I thought, I have two factor auth and as a ten-year-plus customer I can prove who I am. The trouble is nobody cares about that proof - if you don't have that reset code your AppleID is toast forever. No matter whether you can establish that you live at the address they have for that account or have the credit card in your possession linked to the account or anything else. Because they have the ability to disable your password, it is really three factor auth - you need the password, the device and the reset code.

Other things I learned:

. You cannot reuse any email associated with any former AppleID with a new one

. You lose the ability to update apps from the old account, but not the apps themselves

. Music is fine as long as you had updated to non-drm versions

. Not sure about movies or TV shows as I don't download them from iTunes

. Audiobooks were OK

. After getting another appleID your devices are now still locked to the old one (using find my iPhone, iPad, etc) and it's another fucking nightmare to get Apple to unlock them. You have to send them receipts for all devices (including work owned) and then badger them for weeks

. Apple support do not know what to do after that - you have to install each device as new (not from backup) attach to new AppleID and then reconfigure everything manually.

. Apple support is useless during this entire process

. The apple store is even less useful

The whole process really made me question my commitment to a single vendor, but Google are even worse than apple in this regard (and less responsive, if that is possible) and Windows is so shockingly crap at this point it's not even an option.

Re: Two factor auth is a good thing - Apple's is not

I can't believe that (it's so crap), if Apple have gone to the trouble of getting your address, credit card, and phone number then they might as well put them to some use - if all else fails they could send you a postcard with a code, charge a small random amount to the credit card and get you to confirm the value before refunding it, and/or ring your landline and get a robot to speak a code down it.

Re: Two factor auth is a good thing - Apple's is not

Why not just go to a genius bar where you get served?

Because those, err, "geniuses" have no better access to the backend system than you have via phone, they just queue less - they too are enthusiastically uninterested in client loyalty or the intelligent use of all that data they gather on you.

If you want to have a "lite" version of that suckiness, try moving country or living in more than one country. Apple's store will only accept a credit card from the country your store is set to (ditto for value vouchers that you would like to give someone) - there is no way AT ALL to give Apple any money from another country than your iTunes account is set to. You are thus forced to choose between risking your investment in Apps (and let's not forget, that includes all you have on OSX which can be quite a large amount) or, at a minimum, accepting that they will no longer upgrade, or somehow keeping a credit card alive in the country you just left. It's as if they've never heard of the fact that quite a lot of people who can afford their gear move around - almost like the MPAA who divided the world into regions so you were forced to choose between sponsoring the child molesting drug peddling terrorists of this world (I'm paraphrasing here slightly) by buying a pirated but otherwise good quality copy of a movie or the original which would only play until you got home.

It's a strong testament to the quality of the computing environment Apple create that they still sell IMHO. If you've ever been exposed to their Apple ID support you'd be forgiven for rethinking your decision to use Apple gear. I'd call it the RyanAir of IT support, but that would be insulting O'Leary, admittedly a hard thing to do...

Re: Security questions?

@Pen-y-gors - Exactly. I have taken to generating random strings in response to these questions. I look forward to the day when I have to answer security questions over the phone when my mother's maiden name is entered as "iyRdiaaEjH", for example.

Re: Security questions?

Forgot the site now, but the security questions had to be typed in by yourself and so had the answers. This meant you could think up any question you liked and put in any answer you liked. Think this was much better as the hackers would have a lot more work to do, to break in. Imagine putting in a question like "Color of first room in rented accommodation"? With an answer of something like "Magic" (think Terry Pratchett).

Re: Security questions?

The trouble is that companies do not tell their customers what the "security questions" will be used for, and in some cases there are T&Cs that threaten the customer with dire consequences if they give any false information.

Re: Security questions?

What you do is you write them down and store them in a secure location. They call it "memorable information" but what matters is whether you can recover the information. It doesn't matter whether you can remember it.

Re: Security questions?

Caution: Apple do ask these questions in circumstances other than password recovery. I was asked for them at some point after getting my phone replaced under warranty, though I can't remember now what action triggered the questioning. Make sure you print out your answers and put them somewhere otherwise you may be stuck at a critical time.

Re: Security questions?

"Caution: Apple do ask these questions in circumstances other than password recovery."

Australia's my.gov.au website, now compulsory for individuals wanting to deal with tax online, does this too. I created my account with random gibberish for the "security" questions, then got locked out when I next went to use it.

So next I switched to idiot mode to ensure I would be able to actually log in next time. Whoops. As it turns out, to reset the password, all one has to do is guess 2 of the 3 insecurity questions, then enter a new password. No confirmation email. No SMS.

I expect the Australian government believe this is called Two Factor Authentication too.

or were used during the producers 'screen test' wink wink

Photos are meant to be seen

Presumably the photos were meant for the consumption of the celeb's special friend

Which means they have to be transmitted to, and viewable on, another device.

So you can have 97FA, require retina scans from all 3 eyes and a DNA sample - it doesn't really matter if you email them to somebody else.

Of course you could lock them to a single phone - but then having to go to your pet celeb's bedroom for her to unlock the phone and authorize it to display photos of her naked. While she is standing there - does seem to be a little counterproductive.

2FA

can also be done by sending the token to an email account. Chances are a person has access to a computer with internet access and iTunes if they're performing a restore. Moreover, if you had to obtain a new device to replace a lost one, you'll either be buying it from a store or visiting a store to replace your lost sim card. An inability to do multi-factor authentication in this situation is simply a lack of imagination.

"Security questions" aren't for security, they're to reduce support costs

Companies were tired of having people say "I forgot my password" and not having a way to establish their identity, so these security questions were invented. Only problem is that they act like passwords that are simpler to hack. If you're a public figure, or someone targets you, answering them honestly leaves you wide open.

When you only have to answer one or two of them correctly, and get multiple chances (probably unlimited) it is going to be a lot easier for guessing attacks to succeed as well. Which is easier, to brute force a complex password, or guess the name of the high school someone went to? Even if you don't know where they grew up, you can guess names like "City High" or "North High" and you'll snag a lot of people. Ditto with a childhood pet, there are probably a few dozen names that cover half the pets people had as kids!

These security questions have spread like a plague of bad security practice, just as dumb as the policies that force you to use ever longer and more complex passwords, and still change them every 90 days - all but guaranteeing that they'll be written down somewhere.
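The post above makes a quantitative claim without numbers: a handful of common answers covers a large slice of users, and a "2 of 3, unlimited tries" reset policy multiplies that exposure. The model below is an added example, not from the thread; the answer frequencies are constructed for illustration (each list is the share of users whose true answer is the guesser's 1st, 2nd, ... most common guess), and real distributions from surveys or breach data tend to be more skewed. It compares the reset policies the poster contrasts against a random secret for scale.

```python
"""Risk model for knowledge-based account reset (added example; the answer
frequencies are constructed, not measured)."""
from itertools import combinations
from math import prod

# Constructed: fraction of users whose answer is guess #1, #2, ... #10.
PET_NAME = [0.06, 0.05, 0.04, 0.04, 0.03, 0.03, 0.03, 0.02, 0.02, 0.02]
HIGH_SCHOOL = [0.04, 0.03, 0.03, 0.02, 0.02, 0.02, 0.02, 0.01, 0.01, 0.01]
FIRST_CAR = [0.10, 0.08, 0.07, 0.05, 0.05, 0.04, 0.03, 0.03, 0.02, 0.02]
QUESTIONS = [PET_NAME, HIGH_SCHOOL, FIRST_CAR]


def p_question(freqs, attempts):
    """Chance one answer lies within the top `attempts` guesses."""
    return sum(freqs[:attempts])


def p_account(questions, attempts, need):
    """Chance at least `need` of the questions are guessed when the guesser
    gets `attempts` tries per question (answers treated as independent)."""
    ps = [p_question(q, attempts) for q in questions]
    n = len(ps)
    total = 0.0
    for k in range(need, n + 1):                  # exactly k questions hit
        for hit in combinations(range(n), k):
            total += prod(ps[i] if i in hit else 1 - ps[i] for i in range(n))
    return total


def p_password(entropy_bits, attempts):
    """Same quantity for a uniformly random secret of the given entropy."""
    return min(1.0, attempts / 2 ** entropy_bits)


def compare_policies():
    """The reset policies the post contrasts, plus a real secret for scale."""
    return {
        # 2 of 3 questions, no lockout: guesser works down a top-10 list
        "2_of_3_unlimited": p_account(QUESTIONS, attempts=10, need=2),
        # all 3 required, locked after 3 failures (upper bound: 3 tries each)
        "3_of_3_lockout_3": p_account(QUESTIONS, attempts=3, need=3),
        # a 40-bit random recovery code with the same 3 tries
        "random_40bit_3": p_password(40, 3),
    }


if __name__ == "__main__":
    for policy, p in compare_policies().items():
        print(f"{policy:18s} {p:.2e}")
```

With these made-up but plausible numbers the lax policy lets roughly one account in four be reset by a guesser who knows nothing about the victim, the strict policy brings that below one in two hundred, and even a short random code is eleven orders of magnitude better still. The shape of the result, not the exact figures, is the point: the policy (how many questions, how many tries) matters as much as the questions themselves.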

The longest "memory" for passwords I have come across so far in a server is 8. So you can spend a few minutes each 90 days updating your password 9 times, and on the 9th time set it back to what it was in the first place. Job done.

When I first started here, there was no minimum time and last five passwords remembered, so whenever someone got the 'change your password' notice, they just changed it five times, then changed it back to the original.

I've seen multiple cases where you can only change your password twice within a certain time frame (a few days I think) to prevent just this.

I suppose you could get back your old password over the course of a couple weeks, but it hardly seems worth the bother.

Better to figure out how much needs to be changed, and vary it like:

password1234

password2345

password3456

...

And yes, this is exactly why forcing people to change passwords regularly is a very poor excuse for a security policy, that unfortunately nearly every mindless twit security consultant considers gospel without even thinking about it, because "best practices".

Sure, force everyone to change their passwords if you have been (or suspect you've been) compromised. But making it happen as a normal course of business only makes people get creative in finding ways around it, or surrendering and keeping them written down on a sticky note, a card in their wallet, or saved in a "note" in their smartphone.

If they know your password they are doing "security" wrong. :)
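The exchange above names the two standard ways users route around forced rotation (cycle through the history depth and back, or bump a digit suffix) and the two controls that exist to catch them (a minimum password age and a history check). The code below is an added example of those checks, not any vendor's implementation; the depth of 8, the one-day minimum age and the similarity threshold are assumptions. One design constraint worth noticing: old passwords are stored only as salted hashes, so a similarity check can only be made against the current password, which the user has to type at change time anyway.

```python
"""Password-change policy checks (added example; parameters are assumptions)."""
import hashlib
import hmac
import re
import secrets
from difflib import SequenceMatcher

HISTORY_DEPTH = 8            # the depth the poster reports seeing
MIN_AGE_SECONDS = 24 * 3600  # at most one change per day
MAX_SIMILARITY = 0.7         # difflib ratio above which two passwords count as one
ITERATIONS = 50_000


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)


def too_similar(old: str, new: str) -> bool:
    """Catch trivial edits: case flips, a changed digit suffix, a few swapped characters."""
    a, b = old.lower(), new.lower()
    core_a, core_b = re.sub(r"\d+$", "", a), re.sub(r"\d+$", "", b)
    if core_a and core_a == core_b:      # 'password1234' -> 'password2345'
        return True
    return SequenceMatcher(None, a, b).ratio() > MAX_SIMILARITY


class PasswordPolicy:
    """Per-account state: hash history (newest first) and time of last change."""

    def __init__(self, initial: str, now: float) -> None:
        salt = secrets.token_bytes(16)
        self.history = [(salt, _digest(initial, salt))]
        self.last_change = now

    def _matches_current(self, pw: str) -> bool:
        salt, digest = self.history[0]
        return hmac.compare_digest(_digest(pw, salt), digest)

    def _in_history(self, pw: str) -> bool:
        return any(hmac.compare_digest(_digest(pw, s), d) for s, d in self.history)

    def change(self, current: str, new: str, now: float):
        """Return (accepted, reason). Rejections name the rule that fired."""
        if not self._matches_current(current):
            return False, "current password incorrect"
        if now - self.last_change < MIN_AGE_SECONDS:
            return False, "changed too recently"          # blocks 9-in-a-row cycling
        if self._in_history(new):
            return False, "reused within history"          # blocks the plain revert
        if too_similar(current, new):
            return False, "too similar to current"         # blocks the digit bump
        salt = secrets.token_bytes(16)
        self.history.insert(0, (salt, _digest(new, salt)))
        del self.history[HISTORY_DEPTH:]                   # remember exactly the last 8
        self.last_change = now
        return True, "ok"
```

Note what this does and does not achieve: the minimum age stretches the nine-change cycle from a few minutes to nine days, and the similarity test catches the `password1234` to `password2345` pattern, but a patient user can still walk the history within a 90-day window. That limit is the poster's actual point: these checks make the rotation policy less trivially bypassed, they do not make it a good policy.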

"Law enforcement officials would be able to get ahold of this token from a suspect's PC while hackers might be able to obtain it through more nefarious means, either malware or phishing."

The difference between hackers and law enforcement breaking into your phone only differs in viewpoint, not in the methods they use. (Although it's probably cheaper to hire some skiddy to install a RAT rather than pay some security company to rent the software to do exactly the same)